seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD

  jeq #14, good           /* __NR_rt_sigprocmask */

  jeq #13, good           /* __NR_rt_sigaction */

  jeq #35, good           /* __NR_nanosleep */

  bad: ret #0             /* SECCOMP_RET_KILL */

  bad: ret #0             /* SECCOMP_RET_KILL_THREAD */

  good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */

The above example code can be placed into a file (here called "foo"), and

A seccomp filter may return any of the following values. If multiple

filters exist, the return value for the evaluation of a given system

call will always use the highest precedent value. (For example,

``SECCOMP_RET_KILL`` will always take precedence.)

``SECCOMP_RET_KILL_THREAD`` will always take precedence.)

In precedence order, they are:

``SECCOMP_RET_KILL``:

``SECCOMP_RET_KILL_THREAD``:

	Results in the task exiting immediately without executing the

	system call.  The exit status of the task (``status & 0x7f``) will

	be ``SIGSYS``, not ``SIGKILL``.

 * The ordering ensures that a min_t() over composed return values always

 * selects the least permissive choice.

 */

#define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */

#define SECCOMP_RET_KILL_THREAD	0x00000000U /* kill the thread */

#define SECCOMP_RET_KILL	SECCOMP_RET_KILL_THREAD

#define SECCOMP_RET_TRAP	0x00030000U /* disallow and force a SIGSYS */

#define SECCOMP_RET_ERRNO	0x00050000U /* returns an errno */

#define SECCOMP_RET_TRACE	0x7ff00000U /* pass to a tracer or disallow */

	/* Ensure unexpected behavior doesn't result in failing open. */

	if (unlikely(WARN_ON(f == NULL)))

		return SECCOMP_RET_KILL;

		return SECCOMP_RET_KILL_THREAD;

	if (!sd) {

		populate_seccomp_data(&sd_local);

#endif	/* CONFIG_SECCOMP_FILTER */

/* For use with seccomp_actions_logged */

#define SECCOMP_LOG_KILL		(1 << 0)

#define SECCOMP_LOG_KILL_THREAD		(1 << 0)

#define SECCOMP_LOG_TRAP		(1 << 2)

#define SECCOMP_LOG_ERRNO		(1 << 3)

#define SECCOMP_LOG_TRACE		(1 << 4)

#define SECCOMP_LOG_LOG			(1 << 5)

#define SECCOMP_LOG_ALLOW		(1 << 6)

static u32 seccomp_actions_logged = SECCOMP_LOG_KILL  | SECCOMP_LOG_TRAP  |

				    SECCOMP_LOG_ERRNO | SECCOMP_LOG_TRACE |

static u32 seccomp_actions_logged = SECCOMP_LOG_KILL_THREAD |

				    SECCOMP_LOG_TRAP  |

				    SECCOMP_LOG_ERRNO |

				    SECCOMP_LOG_TRACE |

				    SECCOMP_LOG_LOG;

static inline void seccomp_log(unsigned long syscall, long signr, u32 action,

	case SECCOMP_RET_LOG:

		log = seccomp_actions_logged & SECCOMP_LOG_LOG;

		break;

	case SECCOMP_RET_KILL:

	case SECCOMP_RET_KILL_THREAD:

	default:

		log = seccomp_actions_logged & SECCOMP_LOG_KILL;

		log = seccomp_actions_logged & SECCOMP_LOG_KILL_THREAD;

	}

	/*

	 * Force an audit message to be emitted when the action is RET_KILL,

	 * Force an audit message to be emitted when the action is RET_KILL_*,

	 * RET_LOG, or the FILTER_FLAG_LOG bit was set and the action is

	 * allowed to be logged by the admin.

	 */

#ifdef SECCOMP_DEBUG

	dump_stack();

#endif

	seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL, true);

	seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL_THREAD, true);

	do_exit(SIGKILL);

}

		 */

		return 0;

	case SECCOMP_RET_KILL:

	case SECCOMP_RET_KILL_THREAD:

	default:

		seccomp_log(this_syscall, SIGSYS, action, true);

		/* Dump core only if this is the last remaining thread. */

		return -EFAULT;

	switch (action) {

	case SECCOMP_RET_KILL:

	case SECCOMP_RET_KILL_THREAD:

	case SECCOMP_RET_TRAP:

	case SECCOMP_RET_ERRNO:

	case SECCOMP_RET_TRACE:

#ifdef CONFIG_SYSCTL

/* Human readable action names for friendly sysctl interaction */

#define SECCOMP_RET_KILL_NAME		"kill"

#define SECCOMP_RET_KILL_THREAD_NAME	"kill_thread"

#define SECCOMP_RET_TRAP_NAME		"trap"

#define SECCOMP_RET_ERRNO_NAME		"errno"

#define SECCOMP_RET_TRACE_NAME		"trace"

#define SECCOMP_RET_LOG_NAME		"log"

#define SECCOMP_RET_ALLOW_NAME		"allow"

static const char seccomp_actions_avail[] = SECCOMP_RET_KILL_NAME	" "

static const char seccomp_actions_avail[] =

				SECCOMP_RET_KILL_THREAD_NAME	" "

				SECCOMP_RET_TRAP_NAME		" "

				SECCOMP_RET_ERRNO_NAME		" "

				SECCOMP_RET_TRACE_NAME		" "

};

static const struct seccomp_log_name seccomp_log_names[] = {

	{ SECCOMP_LOG_KILL, SECCOMP_RET_KILL_NAME },

	{ SECCOMP_LOG_KILL_THREAD, SECCOMP_RET_KILL_THREAD_NAME },

	{ SECCOMP_LOG_TRAP, SECCOMP_RET_TRAP_NAME },

	{ SECCOMP_LOG_ERRNO, SECCOMP_RET_ERRNO_NAME },

	{ SECCOMP_LOG_TRACE, SECCOMP_RET_TRACE_NAME },

		/* Check that read is only using stdin. */

		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)),

		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDIN_FILENO, 4, 0),

		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),

		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_THREAD),

		/* Check that write is only using stdout */

		BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)),

		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),

		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),

		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),

		BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL_THREAD),

	};

	struct sock_fprog prog = {

		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),